Using vecs-cli to manage VMware Certificate Endpoint Store (VECS) instances
VMware introduced a brand new certificate architecture to ease the process of implementing certificates in vSphere 6.0. I have outlined the new architecture changes and the process of Replacing Certificates in vSphere 6.0 already, but I wanted to go through some of the VECS-CLI commands for anyone that was interested in diving deeper into the certificate architecture.
The VMware Certificate Endpoint Store (VECS) is a repository for SSL certificates and private keys. VECS is a requirement for vCenter Server, so you must use it, unlike the VMware Certificate Authority (VMCA), which is optional. Regardless of your topology for vSphere 6.0, VECS will run on every Platform Services Controller (PSC) and Management node (vCenter Server), whether it’s embedded or not. There are a few different types of default stores in VECS.
Default Stores
Machine SSL Store (MACHINE_SSL_CERT)
This store is used by the Reverse HTTP (RHTTP) proxy. vSphere 6 services now communicate through this proxy, which makes things a lot easier: you can replace this one certificate and all the endpoints communicate through this trusted SSL certificate.
Trusted root store (TRUSTED_ROOTS and TRUSTED_ROOT_CRLS)
This store contains all of your trusted root certificates.
Solution User Stores (machine, vpxd, vpxd-extension, vsphere-webclient, sms)
There are five solution users in vSphere 6 – machine, vpxd, vpxd-extension, sms, and vsphere-webclient. As with previous versions of vSphere, these certificates need to be unique in some way. Typically the Distinguished Name (DN) will have a different Organizational Unit (OU), for example FQDN-vCenter. These certificates are used for authentication with Single Sign-On (SSO). The machine endpoint is used by the logging service, component manager, and license server; the vpxd solution user is for vCenter Server; the vpxd-extension solution user is used by Auto Deploy and Inventory Service; the sms certificate is for the storage monitoring service; and the vsphere-webclient solution user is used by – you guessed it – the vSphere Web Client.
vSphere Certificate Manager Utility backup store (BACKUP_STORE)
This store holds a backup of the most recent state of the certificates, which you can restore. Unfortunately, at this point it keeps only one restore point, but it is still useful.
Other
There is also an option to create your own stores. I can’t think of any use cases at this point other than third party solutions using VECS, but the option is there in case you can think of a good reason to create a new store.
vecs-cli.exe
Let’s get into the good stuff – the command line! vecs-cli allows you to list, delete, and create stores and entries in a store, modify the permissions of a store, get certificates and private keys from a store, and refresh VECS to sync with vmdir. Let’s go through some examples.
vecs-cli is located in the following directories, depending on whether you are using Windows or the appliance.
Windows
C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe
SUSE Linux
/usr/lib/vmware-vmafd/bin/vecs-cli
To see the full list of commands, you can use the ‘help’ argument.
c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe help
To see a list of your current stores, you can run the following command.
c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vpxd
vpxd-extension
vsphere-webclient
SMS
BACKUP_STORE
Once you have a list of all of your current stores, you can output the certificates and private keys in a store by running the following commands. I’ll grab the certificate information from vpxd. The help states that the alias is optional, but I had to specify it to get it to work.
Note: I will be truncating my certificate information.
c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe entry getcert --store vpxd --alias vpxd
-----BEGIN CERTIFICATE-----
MIIDqjCCApKgAwIBAgIJAO1QMuJgzg01MA0GCSqGSIb3DQEBCwUAMFkxCzAJBgNV
BAYTAlVTMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkW
BWxvY2FsMQ0wCwYDVQQKEwRQU0MxMQswCQYDVQQDEwJDQTAeFw0xNTA0MDMyMTIw
c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe entry getkey --store vpxd --alias vpxd
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDUgddhYHgNxTAR
HRrayI3uHyRNpl5LNGepM3xjw1u/bT4BqHJD7/HVgIpPxayZM/f010CG7PbMM72T
etAUuNPf1pQFyf2MY3RtLPnR5ptWXXQKSREp16/zapg2cMyfv5gjrOs5WxsjOEjo
Creating and deleting stores in VECS is pretty easy. To do so, run the following commands.
c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store create --name NewStore
Successfully created store [NewStore]
c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vpxd
vpxd-extension
vsphere-webclient
SMS
BACKUP_STORE
NewStore
c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store delete --name NewStore
Warning: This operation will delete store [NewStore]
Do you wish to continue? Y/N [N] Y
Successfully deleted store [NewStore]
c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vpxd
vpxd-extension
vsphere-webclient
SMS
BACKUP_STORE
If you would like to grant read or write permissions to specific users, you can use the following commands. If you would like to revoke access, change ‘grant’ to ‘revoke’.
c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store get-permissions --name vpxd
PERMISSIONS FOR STORE: [vpxd]
OWNER : SYSTEM
USER ACCESS
vmware-vpx-workflow read
c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store permission --name vpxd --user administrator --grant write
Permissions for store [vpxd] set successfully
c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store get-permissions --name vpxd
PERMISSIONS FOR STORE: [vpxd]
OWNER : SYSTEM
USER ACCESS
Administrator write
vmware-vpx-workflow read
c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store permission --name vpxd --user administrator --revoke write
Permissions for store [vpxd] set successfully
c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe store get-permissions --name vpxd
PERMISSIONS FOR STORE: [vpxd]
OWNER : SYSTEM
USER ACCESS
vmware-vpx-workflow read
It’s also possible to create or delete entries in the stores. You will need to have created a certificate and private key already, and you provide the path to each file.
vecs-cli entry create --store vpxd --alias vpxd --cert vpxd.crt --key vpxd.key
Finally, you can force a refresh of information from vmdir. This command is pretty simple.
c:\Program Files\VMware\vCenter Server\vmafdd>vecs-cli.exe force-refresh
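Putting the store list, entry getcert and get-permissions commands above together, here is an added PowerShell audit script (my example, not code from the original post or from VMware) that walks every VECS store on a Windows node, reports each certificate’s subject, thumbprint and days until expiry, and prints who holds read/write on the store. It assumes the default vecs-cli.exe path and that ‘entry list’ prints one “Alias : name” line per entry (that output format is an assumption, not shown in the post).

```powershell
# Added example (not from the original post): audit VECS certificate expiry
# and store permissions on a Windows vCenter/PSC node.
# Assumptions: default vecs-cli.exe path below; 'entry list' emits one
# "Alias : <name>" line per entry (format assumed, not shown in the post).
$VecsCli  = 'C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe'
$WarnDays = 30   # flag anything expiring within this many days

function Get-VecsStores {
    & $VecsCli store list | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
}

function Get-VecsAliases([string]$Store) {
    # Pull the alias names out of 'entry list' so getcert can be called per entry
    foreach ($line in (& $VecsCli entry list --store $Store 2>$null)) {
        if ($line -match '^\s*Alias\s*:\s*(.+?)\s*$') { $Matches[1] }
    }
}

function Get-VecsCertificate([string]$Store, [string]$Alias) {
    # getcert returns PEM; strip the armour and decode to DER for .NET
    $pem = (& $VecsCli entry getcert --store $Store --alias $Alias 2>$null) -join "`n"
    if (-not $pem -or $pem -notmatch 'BEGIN CERTIFICATE') { return $null }  # e.g. CRL entries
    $b64 = ($pem -replace '-----[^-]+-----', '') -replace '\s', ''
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($b64))
}

foreach ($store in Get-VecsStores) {
    Write-Host "== Store: $store"
    foreach ($alias in Get-VecsAliases $store) {
        $cert = Get-VecsCertificate $store $alias
        if (-not $cert) { continue }
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        $flag = if ($daysLeft -le $WarnDays) { '  <-- EXPIRING' } else { '' }
        '{0,-22} {1,-45} {2} {3,5}d{4}' -f $alias, $cert.Subject, $cert.Thumbprint, $daysLeft, $flag
    }
    # Permissions: any user beyond the expected service account deserves a second look
    & $VecsCli store get-permissions --name $store 2>$null | ForEach-Object { "   $_" }
}
```

Run it from an elevated PowerShell prompt on the vCenter or PSC node; TRUSTED_ROOT_CRLS entries are skipped because getcert does not return a certificate for them.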
Hopefully this helps everyone who is interested in playing around with VECS get started. If you would like more information, you can review the vecs-cli Command Reference.
4 Comments
Please put some article on vSphere 6 different types of vMotion.
Hi Sourav,
Good idea, I will get to it when I get the chance, thank you for the suggestion!
Sean
vecs-cli.exe entry getcert --store MACHINE_SSL_CERT --alias MSSLCERT
vecs-cli failed. Error 4312: Possible errors:
LDAP error: Unknown (extension) error
Win Error: The object identifier does not represent a valid object.
any ideas please? thanks!
Just got the same error! Did you ever find a fix?